[4247] in linux-net channel archive


Re: SYN floods

daemon@ATHENA.MIT.EDU (Martin Mares)
Sat Aug 31 06:09:05 1996

From: Martin Mares <mj@k332.feld.cvut.cz>
To: mill0440@gold.tc.umn.edu (Henry W Miller)
Date: 	Sat, 31 Aug 1996 10:49:40 +0200 (MET DST)
Cc: linux-net@vger.rutgers.edu
In-Reply-To: <Pine.SOL.3.91.960830200116.8456A-100000@gold.tc.umn.edu> from "Henry W Miller" at Aug 30, 96 08:11:46 pm

Hello,

> After some thought I think that this would provide some relief:  on 
> receiving any syn, handle it normally, but also send a series of ICMP 
> pings to the host.  If after a short amount of time no pings come back 
> assume the host is dead, and kill the connection.  In theory a ping should 
> get through quickly, so we at least know there is a valid host behind 
> this ip address.  

> This does not however help if the syn flooder picks valid ip addresses.  
> but if the flooder picks a constant valid address we can also make a only 
> one syn per host in the queue rule.  

   This would only generate lots of additional network traffic, not solving
the problem at all as anyone who knew we're doing it this way would choose
a large set of valid IP addresses, generating not only a SYN flood on your
machine, but also de facto misusing your machine to perform an ICMP
attack on the addresses he uses as the source.

							Martin
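
Added example, not part of the original thread: a small model of the ping-verification scheme and the one-SYN-per-host rule discussed above, run over three constructed bursts of SYNs to show where the half-open queue fills and how many ICMP echo requests the defending host itself emits. The queue size, the number of pings per SYN, the addresses (documentation ranges) and the assumption that each ping check resolves before the next SYN arrives are all assumptions of this sketch.

```python
# Added illustration; the model and every parameter value are assumptions.
PINGS_PER_SYN = 3   # assumed size of the "series of ICMP pings"
BACKLOG = 8         # assumed half-open queue size

def simulate(syns, live, backlog=BACKLOG, pings=PINGS_PER_SYN):
    """Run one burst of SYN source addresses through the proposed scheme.

    syns: source addresses in arrival order; live: addresses that answer pings.
    Simplification: each ping check resolves before the next SYN arrives.
    """
    queue = []      # half-open entries whose source answered the pings
    icmp = {}       # destination -> echo requests the defender emitted
    refused = []    # SYNs dropped because the queue was full
    for src in syns:
        icmp[src] = icmp.get(src, 0) + pings   # pings go out on any SYN
        if src in queue:                       # one-SYN-per-host rule
            continue
        if len(queue) >= backlog:
            refused.append(src)
            continue
        if src in live:                        # ping answered: entry is kept
            queue.append(src)
        # no answer: host assumed dead, entry killed, slot freed
    return {"queue": queue, "refused": refused,
            "icmp_total": sum(icmp.values()), "icmp_targets": len(icmp)}

CLIENT = "192.0.2.10"                               # constructed legitimate client
DEAD = [f"198.51.100.{i}" for i in range(1, 101)]   # constructed, never answer
VALID = [f"203.0.113.{i}" for i in range(1, 101)]   # constructed, answer pings

def scenarios():
    """Three constructed bursts of 100 SYNs, each followed by the real client."""
    live = set(VALID) | {CLIENT}
    return {
        "dead_sources": simulate(DEAD + [CLIENT], live),
        "one_valid_source": simulate([VALID[0]] * 100 + [CLIENT], live),
        "many_valid_sources": simulate(VALID + [CLIENT], live),
    }

if __name__ == "__main__":
    for name, r in scenarios().items():
        served = CLIENT in r["queue"]
        print(f"{name:20} client_served={served} queued={len(r['queue'])} "
              f"icmp_sent={r['icmp_total']} to {r['icmp_targets']} hosts")
```

In this model the client is served in the first two bursts but refused in the third, where the queue is full of entries that passed the ping check and the defender has sent echo requests to every address used as a source.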
